&#xd; in base 64 in IDP 3.4.0 responses

&#xd; in base 64 in IDP 3.4.0 responses

Sam Buchanan
I've been testing IDP 3.4.0 snapshots, and I'm finding that parts of the signature and encrypted data in the response include XML-encoded carriage returns. It seems not unlike an issue addressed a few years ago https://issues.shibboleth.net/jira/browse/JSPT-50 but in a different area of the XML. I work with at least one SP that will break on this if it remains in 3.4. Is there something I can do to prevent the &#xd; being generated? I'm unfamiliar with the codebase and haven't yet tracked down where they're introduced.

Sorry if this should go to another list. I can't tell where it's best to send questions about unreleased versions.

SAML response example, with some "..." abbreviations:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
    ID="_b9f88857a65dfde9454786e4e6887565"
    InResponseTo="_43d571f998bbd934ee064bba29ef63469eb93e3d9d"
    IssueInstant="2018-07-04T15:40:47.907Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://signonqa.domain/idp/shibboleth</saml2:Issuer>
    <ds:Signature
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
                Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference
                        URI="#_b9f88857a65dfde9454786e4e6887565">
<ds:Transforms>
<ds:Transform
                        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>/1TFvcwSkf1eyzTFnEJeDL1onQdXHloyiuFspKiCP7I=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
OGIPYFwFcSlrcRb9DDmUdnZZME4y0sMpLUmioXt5vrCUk1vg0XVUzSXRvvePl8yyy/KaNkH8XI1l&#xd;
wZyTSYe20XwLd3+LN8h59iNC791/qEg7yT+FhiH00xxg5lOBdwrhoWPZilgB4RhcpEhRYaENeCt5&#xd;
qCJd2e5m/Uf/CMC4XK93mqvqQDhpeKqsWjAw3rKPaA6qIfZjb8vQLPpJeRnPAgh7NCXWmYIT4EMe&#xd;
PJD0WP3W/Yxjy9ParsmzEDAb1bpYuS/Z0IEiIYSN0LncQplJDredu/qAufe/unh5sMXr8Vzbm/+7&#xd;
aJdMNfId46GP777KX5BJYq8apN/3+OmONNORbA==
</ds:SignatureValue>
<ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDNzCCAh+gAwIBAgIUZGP9KZJycCCasgIn1by4rR44RvowDQYJKoZIhvcNAQELBQAwHjEcMBoG
A1UEAwwTc2lnbm9ucWEubW5zdGF0ZS51czAeFw0xNzEyMTgwMzI1NTBaFw0zNzEyMTgwMzI1NTBa
MB4xHDAaBgNVBAMME3NpZ25vbnFhLm1uc3RhdGUudXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
...
TYRZQNwMYgL3R03DhRiFze7fgwmltF/Xnl8MSH03Ddl96YosK8c7k3IHmaMaWKxrpeoKMvVqiTWk
Mq2Y9ahrTuDTNmVunaZcYamkHV8JjZdna3tOrvItlm1OAD+ClZAatve++gwShQ1GsBTD5coTnqOb
sKW3Ss2FNS5N7dryjpNUkzerrFb9e9jpHNGn42Wl62s0+NHGX3rQ0EcK9thsb4Ok4Na/EP+UpozZ
0xmDmsHxwI4nE9iFdf3x0iKnTwp0S8/AC+AlnEw=</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Id="_61631a441c457e33be9fa75f449f24bb" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey
                    Id="_25197ef48d4df756d4928d53a2a5fb30" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:EncryptionMethod
                        Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <ds:DigestMethod
                            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>MIID8DCCAtigAwIBAgIJAIahUxslYqbbMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNVBAYTAlVTMRIw
EAYDVQQIEwlNaW5uZXNvdGExEzARBgNVBAcTClNhaW50IFBhdWwxDzANBgNVBAoTBkpvYmxvZzEP
...
6zB2dsPglueHbD1kvhqvSKCUtgcCJIauYLaIEzY3Y/0e+mw6IBpXFMiayQ==</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <xenc:CipherValue>Lwv1flvfJNXx0rR2OmqHHeTb7tLhGMkS7oqESruJtiVSzBHWcw5ME/OM8YqZLCpfu89KmgtzYQ47&#xd;
eltlAvPImhDLhHuTs3920RdNkOIT/gLF3Wp3KWcP30qNgpmDUW2P3dZGV+cKoZsp6mCl1mT7zzq9&#xd;
8YvU5Ljlie1CPlVKDufFD7gOr1QXuWiPwNxw6QTFBuisZmKZYi+dxMLDi0zerL3SJ/J+6FnMtIvk&#xd;
D6K1DZztVr9PtoLecQ8ZbJ1vgbpxg7rqUX0A7YPGRps/PRTehOBDUDmMyaHLJoA5onCqAAUoCKlv&#xd;
hHckJPt9dm/RXvQRjjjcdv6un5wlLNYdQWMpFA==</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:CipherValue>Hbblx/phsxSe9uWeIkNSIAH0QJBubGp/Rv5Afd3lyKUCm1wOpfapixtmorWse9Sz1bXTiU+gkWBh&#xd;
rGwiX+oF3K44MLmj3DTxKjGZEz9sQIdEwTuiRxa8823iefW4xKsYwLv2d5txnijqVF6u+7FY1KJz&#xd;
4IJKW5uGYH1PbQAYfo7sEu99JBXTSkAuZpVQuix/xmdekIe+TfNv/crKYPjbcd3egDp/IHbu8sbn&#xd;
Bn+R0OUaL+KVOsAMsAEipaR+OnSfRIJoRraMyp/XmC8W3L53tGIay10+Z46KAFoZdE6OlCb+mMyp&#xd;
CGIZh4SFicOLaCZdQ7uvjr2RRNwvn4lUTcagdrgwMRqxFDSeqW3miOHIQVYK/yyELhHE+RhBCAOe&#xd;
...
eFUKR8nIaJwnEC8x+V2ax43v2tKUlXiAV1KeNUTLwA6kNycokgcx9nCeu8WYSxUzDepHBn/wWJxy&#xd;
E7PfkQhQln9MT1ZdcsQnXND2xHckNtJqEUBDrVF5naYljPg1pmL5d6uJa/UHGC85Z0l3ixUx8Fip&#xd;
AFqqqbM=</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
</saml2p:Response>

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: &#xd; in base 64 in IDP 3.4.0 responses

Cantor, Scott E.
> Sorry if this should go to another list. I can't tell where it's best to send
> questions about unreleased versions.

dev or just file a bug.

Santuario changed the line ending in the base64 encoder back in 2.0.7, and V3.3 of the IdP is on 2.0.5 so we haven't had to address the issue yet in a shipping version.

I believe Colm either reverted the change or added a property to control it and one way or the other by the time we ship it will likely be doing what it did before, but you should file a bug against 3.4 and mark it Blocker so it isn't forgotten.

That said, if we had shipped this, we would be within our rights. That SP is broken and we don't make working around such bugs a priority.

-- Scott

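The mechanics behind both messages, as an added example that is not code from the thread, from the Shibboleth IdP or from Santuario: a short Python script that re-creates the 76-character, CRLF-wrapped base64 seen in the posted SignatureValue and CipherValue, shows why the carriage return has to be serialized as &#xd; to survive XML parsing at all, and contrasts an SP decoder that chokes on the CR with one that follows XML Schema base64Binary and discards every whitespace character before decoding. The payload bytes, the minimal Response and the fragile decoder's behaviour are assumptions made for the example; the thread does not say what the affected SP actually does.

```python
"""Added example (not code from the thread, the Shibboleth IdP or Santuario).

Shows why &#xd; ends up inside a base64 value and how a conforming SP should
decode it. Assumptions: a constructed minimal Response, a constructed payload,
and a modelled SP decoder whose real behaviour the thread does not describe.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed payload; the truncated SignatureValue on the page is not needed.
PAYLOAD = bytes(range(256))


def encode_b64_crlf(data: bytes, line_len: int = 76) -> str:
    """Base64 split into 76-character lines joined by CRLF, the shape seen in
    the posted response (a re-creation of the output, not Santuario's code)."""
    raw = base64.b64encode(data).decode("ascii")
    return "\r\n".join(raw[i:i + line_len] for i in range(0, len(raw), line_len))


def build_response(value: str, escape_cr: bool) -> str:
    """Constructed minimal Response carrying `value` in ds:SignatureValue.

    A serializer that wants the CR to survive must emit it as &#xd;: a literal
    CRLF in the document is normalised to LF by every XML parser (XML 1.0,
    section 2.11), which is exactly why the entity shows up in the output."""
    text = value.replace("\r", "&#xd;") if escape_cr else value
    return (
        '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">'
        f'<ds:Signature xmlns:ds="{DS_NS}">'
        f"<ds:SignatureValue>{text}</ds:SignatureValue>"
        "</ds:Signature></saml2p:Response>"
    )


def signature_value(xml_doc: str) -> str:
    """The text the SP's XML parser hands to its base64 decoder."""
    node = ET.fromstring(xml_doc).find(f".//{{{DS_NS}}}SignatureValue")
    return node.text or ""


def lf_only_decode(text: str):
    """Modelled fragile SP decoder (assumption: the thread does not say what the
    real SP does). It copes with LF line breaks but rejects anything else
    outside the base64 alphabet, so a CR makes it fail."""
    try:
        return base64.b64decode(text.replace("\n", ""), validate=True)
    except binascii.Error:
        return None


def conforming_decode(text: str) -> bytes:
    """XML Schema base64Binary, which ds:SignatureValue, ds:X509Certificate and
    xenc:CipherValue all use, allows whitespace anywhere in the lexical value,
    so strip every XML whitespace character (space, tab, CR, LF) first."""
    return base64.b64decode("".join(text.split()), validate=True)


def demo() -> dict:
    """Run both serializations through both decoders and report the outcomes."""
    wire = encode_b64_crlf(PAYLOAD)
    escaped = signature_value(build_response(wire, escape_cr=True))
    literal = signature_value(build_response(wire, escape_cr=False))
    return {
        "cr_count_escaped": escaped.count("\r"),  # &#xd; survives parsing
        "cr_count_literal": literal.count("\r"),  # raw CRLF collapsed to LF
        "fragile_sp_ok": lf_only_decode(escaped) == PAYLOAD,
        "fragile_sp_ok_without_cr": lf_only_decode(literal) == PAYLOAD,
        "conforming_sp_ok": conforming_decode(escaped) == PAYLOAD,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

For an SP written in Java, the two decoders above correspond to java.util.Base64.getDecoder(), which throws on any character outside the alphabet, and java.util.Base64.getMimeDecoder(), which ignores line separators and other non-alphabet characters; Python's base64.b64decode with its default validate=False behaves like the latter. Whatever the library, the robust rule on the consuming side is to strip whitespace before decoding any base64Binary value rather than assuming a particular line-ending convention from the issuer.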